winget-cli
Separate Archive Scan argument related to security from `--force`
- [x] Have you signed the Contributor License Agreement?
- [ ] Are you working against an Issue?
A change was recently made to make the hash override argument different from the --force argument on the basis that it has heavy implications on security and that those security implications should not be as easy to bypass as just adding on a "standard" parameter. This PR does the same thing for the archive malware scan.
This is implemented as a more generic ignore-security-checks argument. The reason for this is twofold - 1) The archive scan comes after the hash validation. The security implications of skipping this check (as opposed to the hash check) are lower, and therefore a less-specific argument can be used (just something less generic than --force) and 2) This argument will be expansible to other security-related actions. One such example would be if/when CVE data is integrated, a user would be able to use the new argument to confirm they wish to install a package with a known vulnerability.
This is not a breaking change as the archive scan behavior has only been included in pre-release, where behavior is subject to change.
How about --ignore-archive-malware-scan ?
I'd also like to know why we're thinking about enabling this behavior. Do we think there are false positives? Or is this just to be "more" complete? I believe we would want another administrator required setting to be able to "enable" a user to be able to pass this argument as well.
We're adding a policy for this specific scenario related to the certificate pinning for the "msstore" source. We would likely need a policy for this scenario as well.
Mentioning @AmelBawa-msft since he's looking at the other policy.
Or maybe "bypass" as the other policy is written.
I'd also like to know why we're thinking about enabling this behavior. Do we think there are false positives? Or is this just to be "more" complete?
Using the latest dev build on the latest release of paint.net (local manifest) flags it as malware even though it is not, likely due to the inclusion of the dll's in the zip file
I believe we would want another administrator required setting to be able to "enable" a user to be able to pass this argument as well.
Understandable. When --force was changed to no longer be the hash override, though, it no longer requires an admin setting. I can certainly see value in adding it, but I would imagine it more as a separate feature
How about --ignore-archive-malware-scan ?
I suppose this gets back to user experience. Would there be a necessity for having individual arguments for all security checks? I'm imagining a case where a user is attempting to install a .zip package with a hash mismatch, fails malware scan (false positive), and has known CVE. The implementation in this PR would allow winget install <package> --ignore-security-hash --ignore-security-checks. Using an individual argument would necessitate winget install <package> --ignore-security-hash --ignore-archive-scan --ignore-cves. I think either way would be fine, but I was presuming that if a user was willing to bypass an archive scan or CVE data, they would want to bypass the other security checks as well
Or maybe "bypass" as the other policy is written.
I wrote this with the same concept as hash override. If bypass is preferred, I would suggest all security related arguments use bypass. This can still be done, as 1.4 is not in stable yet
https://github.com/microsoft/winget-cli/blob/edfc884fd3a54ff1cda372bbe7588d8025d0e1e1/src/AppInstallerCLICore/Argument.cpp#L60-L61
I would say for this one, it's not actually "bypassing", we still perform the check but "ignore" the results.
I'd also like to know why we're thinking about enabling this behavior. Do we think there are false positives? Or is this just to be "more" complete?
Using the latest dev build on the latest release of paint.net (local manifest) flags it as malware even though it is not, likely due to the inclusion of the dll's in the zip file
This seems like a problem; @ryfu-msft should look at that. From my understanding, Pure has a fairly extensive set of "bad" it will detect. We should filter that to the appropriate ones for our scenario.
Understandable. When --force was changed to no longer be the hash override, though, it no longer requires an admin setting. I can certainly see value in adding it, but I would imagine it more as a separate feature
And @yao-msft should look into that if true. The admin setting should still be required.
How about --ignore-archive-malware-scan ?
I prefer a specific flag per security related thing. Yes, it means more flags to pass, but it also means that you opted in to ignoring each one failing, rather than opting in to the ones that existed when you wrote your script.
Understandable. When --force was changed to no longer be the hash override, though, it no longer requires an admin setting. I can certainly see value in adding it, but I would imagine it more as a separate feature
And @yao-msft should look into that if true. The admin setting should still be required.
I think there might be some misunderstanding here? The HashOverride was never behind an admin setting, the only admin settings we have are EnableLocalManifests and EnableBypassStoreCertPinning. HashOverride was behind a group policy, and it still is behind it after the change. And we block HashOverride if it's running as admin.
Adding group policy for ignore-malware-scan is new work though.
I prefer a specific flag per security related thing. Yes, it means more flags to pass, but it also means that you opted in to ignoring each one failing, rather than opting in to the ones that existed when you wrote your script.
I switched to the more specific --ignore-malware-scan
Adding group policy for ignore-malware-scan is new work though.
I believe I added everything needed for group policy
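The trade-off debated above (one generic `--ignore-security-checks` flag versus one flag per check, each still gated by policy and by the elevation rule mentioned for the hash override), worked through as an added example. This is not winget-cli code: the type and function names are hypothetical, the CVE check is the hypothetical one from the PR description, and the non-elevation settings for the archive scan and CVE overrides are assumptions.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Checks in the order the thread describes: hash validation first, archive
// scan after it. KnownCve is the hypothetical future check from the PR text.
enum class Check { InstallerHash, ArchiveMalwareScan, KnownCve };

struct OverrideRule {
    std::string flag;          // flag that opts in to ignoring this check's failure
    bool refusedWhenElevated;  // override rejected when the process is elevated
};
using RuleSet = std::map<Check, OverrideRule>;

struct Environment {
    std::set<Check> allowedByPolicy;  // overrides an administrator has permitted
    bool elevated = false;
};

enum class Decision { Proceed, ProceedWithOverride, Blocked };

struct Outcome {
    Decision decision = Decision::Proceed;
    std::vector<Check> ignoredFailures;   // failed, but validly overridden
    std::vector<Check> blockingFailures;  // failed and not validly overridden
};

// Every check has already run; an override only changes how a failure is
// treated (the check is performed, its result is ignored).
Outcome Evaluate(const RuleSet& rules, const std::set<Check>& failedChecks,
                 const std::set<std::string>& flags, const Environment& env)
{
    Outcome out;
    for (Check check : failedChecks) {
        auto rule = rules.find(check);
        bool overridden = rule != rules.end()
            && flags.count(rule->second.flag) != 0
            && env.allowedByPolicy.count(check) != 0
            && !(env.elevated && rule->second.refusedWhenElevated);
        (overridden ? out.ignoredFailures : out.blockingFailures).push_back(check);
    }
    if (!out.blockingFailures.empty()) {
        out.decision = Decision::Blocked;
    } else if (!out.ignoredFailures.empty()) {
        out.decision = Decision::ProceedWithOverride;
    }
    return out;
}

// One flag per check, the direction the thread settled on.
RuleSet SpecificRules()
{
    return {
        { Check::InstallerHash,      { "--ignore-security-hash", true } },
        { Check::ArchiveMalwareScan, { "--ignore-local-archive-malware-scan", false } },
        { Check::KnownCve,           { "--ignore-cves", false } },
    };
}

// The PR's first design: hash keeps its own flag, the rest share one.
RuleSet GenericRules()
{
    return {
        { Check::InstallerHash,      { "--ignore-security-hash", true } },
        { Check::ArchiveMalwareScan, { "--ignore-security-checks", false } },
        { Check::KnownCve,           { "--ignore-security-checks", false } },
    };
}

int main()
{
    Environment env;
    env.allowedByPolicy = { Check::InstallerHash, Check::ArchiveMalwareScan, Check::KnownCve };

    // Constructed scenario: a script was written to get past an archive-scan
    // false positive; later a CVE check is added and also fails.
    std::set<Check> failed = { Check::ArchiveMalwareScan, Check::KnownCve };

    Outcome generic = Evaluate(GenericRules(), failed, { "--ignore-security-checks" }, env);
    Outcome specific = Evaluate(SpecificRules(), failed,
                                { "--ignore-local-archive-malware-scan" }, env);

    std::cout << "generic flag:  ignored " << generic.ignoredFailures.size()
              << " failure(s), blocked=" << (generic.decision == Decision::Blocked) << "\n";
    std::cout << "specific flag: ignored " << specific.ignoredFailures.size()
              << " failure(s), blocked=" << (specific.decision == Decision::Blocked) << "\n";
    return 0;
}
```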
@Trenly as fyi, all group policy values and strings will need to be reviewed by some Microsoft internal team, so these naming/description may need to be changed after review (we'll put comments to the pr).
Also group policy changes require OS side changes, we'll merge this pr after OS side changes are merged.
@Trenly as fyi, all group policy values and strings will need to be reviewed by some Microsoft internal team, so these naming/description may need to be changed after review (we'll put comments to the pr).
Also group policy changes require OS side changes, we'll merge this pr after OS side changes are merged.
Thank you for the info!
Hi @Trenly
The group policy review has finished. The review team has made some naming suggestions. Mainly we should be more specific about what this policy does.
Can you apply the changes and merge with latest code base? If you don't have time, may I push the changes to your branch?
Thanks
@check-spelling-bot Report
:red_circle: Please review
See the :open_file_folder: files view or the :scroll:action log for details.
Unrecognized words (1673)
Previously acknowledged words that are now absent
:arrow_right: Some files were automatically ignored
These sample patterns would exclude them:
^\Qsrc/PureLib/pure/AUTHORS\E$
^\Qsrc/PureLib/pure/zlib/contrib/blast/test.pk\E$
^\Qsrc/PureLib/pure/zlib/contrib/blast/test.txt\E$
^\Qsrc/PureLib/pure/zlib/contrib/masmx64/bld_ml64.bat\E$
^\Qsrc/PureLib/pure/zlib/contrib/puff/zeros.raw\E$
You should consider adding them to:
.github/actions/spelling/excludes.txt
File matching is via Perl regular expressions.
To check these files, more of their words need to be in the dictionary than not. You can use patterns.txt to exclude portions, add items to the dictionary (e.g. by adding them to allow.txt), or fix typos.
To accept :heavy_check_mark: these unrecognized words as correct and remove the previously acknowledged and now absent words, run the following commands
... in a clone of the git@github.com:Trenly/winget-cli.git repository
on the SecurityRelatedCheck branch (:information_source: how do I use this?):
curl -s -S -L 'https://raw.githubusercontent.com/check-spelling/check-spelling/v0.0.21/apply.pl' |
perl - 'https://github.com/microsoft/winget-cli/actions/runs/3690193501/attempts/1'
Available :books: dictionaries could cover words not in the :blue_book: dictionary
This includes both expected items (477) from .github/actions/spelling/expect.txt and unrecognized words (1673)
| Dictionary | Entries | Covers |
|---|---|---|
| cspell:cpp/src/cpp.txt | 30216 | 248 |
| cspell:win32/src/win32.txt | 53509 | 49 |
| cspell:python/src/python/python-lib.txt | 3873 | 32 |
| cspell:php/php.txt | 2597 | 32 |
| cspell:java/java.txt | 7642 | 31 |
| cspell:python/src/common/extra.txt | 741 | 13 |
| cspell:r/src/r.txt | 808 | 9 |
| cspell:python/src/python/python.txt | 453 | 8 |
| cspell:golang/go.txt | 3412 | 6 |
| cspell:django/django.txt | 859 | 6 |
Consider adding them using (in .github/workflows/spelling3.yml):
with:
  extra_dictionaries:
    cspell:cpp/src/cpp.txt
    cspell:win32/src/win32.txt
    cspell:python/src/python/python-lib.txt
    cspell:php/php.txt
    cspell:java/java.txt
    cspell:python/src/common/extra.txt
    cspell:r/src/r.txt
    cspell:python/src/python/python.txt
    cspell:golang/go.txt
    cspell:django/django.txt
To stop checking additional dictionaries, add:
with:
  check_extra_dictionaries: ''
Errors (4)
See the :open_file_folder: files view or the :scroll:action log for details.
| :x: Errors | Count |
|---|---|
| :information_source: binary-file | 2 |
| :x: check-file-path | 33 |
| :x: forbidden-pattern | 18 |
| :information_source: noisy-file | 3 |
See :x: Event descriptions for more information.
If the flagged items are false positives
If items relate to a ...
- binary file (or some other file you wouldn't want to check at all).
  Please add a file path to the excludes.txt file matching the containing file.
  File paths are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your files.
  ^ refers to the file's path from the root of the repository, so ^README\.md$ would exclude README.md (on whichever branch you're using).
- well-formed pattern.
  If you can write a pattern that would match it, try adding it to the patterns.txt file.
  Patterns are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your lines.
  Note that patterns can't match multiline strings.
@check-spelling-bot Report
:red_circle: Please review
See the :open_file_folder: files view or the :scroll:action log for details.
Unrecognized words (1)
Scann
To accept :heavy_check_mark: these unrecognized words as correct, run the following commands
... in a clone of the git@github.com:Trenly/winget-cli.git repository
on the SecurityRelatedCheck branch (:information_source: how do I use this?):
curl -s -S -L 'https://raw.githubusercontent.com/check-spelling/check-spelling/v0.0.21/apply.pl' |
perl - 'https://github.com/microsoft/winget-cli/actions/runs/3690281528/attempts/1'
Available :books: dictionaries could cover words not in the :blue_book: dictionary
This includes both expected items (399) from .github/actions/spelling/expect.txt and unrecognized words (1)
| Dictionary | Entries | Covers |
|---|---|---|
| cspell:cpp/src/cpp.txt | 30216 | 26 |
| cspell:win32/src/win32.txt | 53509 | 18 |
| cspell:python/src/python/python-lib.txt | 3873 | 7 |
| cspell:php/php.txt | 2597 | 6 |
| cspell:java/java.txt | 7642 | 5 |
| cspell:python/src/python/python.txt | 453 | 3 |
| cspell:python/src/common/extra.txt | 741 | 3 |
| cspell:django/django.txt | 859 | 3 |
| cspell:typescript/typescript.txt | 1211 | 2 |
| cspell:npm/npm.txt | 288 | 2 |
Consider adding them using (in .github/workflows/spelling3.yml):
with:
  extra_dictionaries:
    cspell:cpp/src/cpp.txt
    cspell:win32/src/win32.txt
    cspell:python/src/python/python-lib.txt
    cspell:php/php.txt
    cspell:java/java.txt
    cspell:python/src/python/python.txt
    cspell:python/src/common/extra.txt
    cspell:django/django.txt
    cspell:typescript/typescript.txt
    cspell:npm/npm.txt
To stop checking additional dictionaries, add:
with:
  check_extra_dictionaries: ''
If the flagged items are :exploding_head: false positives
If items relate to a ...
- binary file (or some other file you wouldn't want to check at all).
  Please add a file path to the excludes.txt file matching the containing file.
  File paths are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your files.
  ^ refers to the file's path from the root of the repository, so ^README\.md$ would exclude README.md (on whichever branch you're using).
- well-formed pattern.
  If you can write a pattern that would match it, try adding it to the patterns.txt file.
  Patterns are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your lines.
  Note that patterns can't match multiline strings.
Hi @Trenly
The group policy review has finished. The review team has made some naming suggestions. Mainly we should be more specific about what this policy does.
Can you apply the changes and merge with latest code base? If you don't have time, may I push the changes to your branch?
Thanks
I think I applied them. There were several merge conflicts with the latest code base. I think I fixed everything now, but I wouldn't be surprised if I made a mistake. If something fails, just give me a nudge (or feel free to commit right to the branch, whichever is easiest for you)
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
Yep, I definitely did something wrong
<testcase classname="AppInstallerCLITests.exe.global" name="InstallFlow_Zip_ArchiveScanOverride" time="0.0">
<failure message="installOutput.str().find(Resource::LocString(Resource::String::ArchiveFailedMalwareScanOverridden).get()) != std::string::npos" type="REQUIRE">
FAILED:
REQUIRE( installOutput.str().find(Resource::LocString(Resource::String::ArchiveFailedMalwareScanOverridden).get()) != std::string::npos )
with expansion:
4294967295 (0xffffffff)
!=
4294967295 (0xffffffff)
\x1B[0mFound \x1B[96mAppInstaller Test Zip Installer\x1B[0m [\x1B[96mAppInstallerCliTest.TestZipInstaller\x1B[0m] Version 1.0.0.0
\x1B[0mThis application is licensed to you by its owner.
Microsoft is not responsible for, nor does it grant any licenses to, third-party packages.
\x1B[0mSuccessfully verified installer hash
\x1B[91mArchive scan detected malware. To override this check use --ignore-local-archive-malware-scan
at D:\a\1\s\src\AppInstallerCLITests\WorkFlow.cpp(1311)
</failure>
<failure type="FAIL_CHECK">
FAILED:
Unused override
\x1B[0mFound \x1B[96mAppInstaller Test Zip Installer\x1B[0m [\x1B[96mAppInstallerCliTest.TestZipInstaller\x1B[0m] Version 1.0.0.0
\x1B[0mThis application is licensed to you by its owner.
Microsoft is not responsible for, nor does it grant any licenses to, third-party packages.
\x1B[0mSuccessfully verified installer hash
\x1B[91mArchive scan detected malware. To override this check use --ignore-local-archive-malware-scan
at D:\a\1\s\src\AppInstallerCLITests\WorkFlow.cpp(504)
</failure>
<failure type="FAIL_CHECK">
FAILED:
Unused override
\x1B[0mFound \x1B[96mAppInstaller Test Zip Installer\x1B[0m [\x1B[96mAppInstallerCliTest.TestZipInstaller\x1B[0m] Version 1.0.0.0
\x1B[0mThis application is licensed to you by its owner.
Microsoft is not responsible for, nor does it grant any licenses to, third-party packages.
\x1B[0mSuccessfully verified installer hash
\x1B[91mArchive scan detected malware. To override this check use --ignore-local-archive-malware-scan
at D:\a\1\s\src\AppInstallerCLITests\WorkFlow.cpp(504)
</failure>
</testcase>
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
/azp run
Same error; I don't quite understand it 😞
<testcase classname="AppInstallerCLITests.exe.global" name="InstallFlow_Zip_ArchiveScanOverride" time="0.0">
<failure message="installOutput.str().find(Resource::LocString(Resource::String::ArchiveFailedMalwareScanOverridden).get()) != std::string::npos" type="REQUIRE">
FAILED:
REQUIRE( installOutput.str().find(Resource::LocString(Resource::String::ArchiveFailedMalwareScanOverridden).get()) != std::string::npos )
with expansion:
4294967295 (0xffffffff)
!=
4294967295 (0xffffffff)
\x1B[0mFound \x1B[96mAppInstaller Test Zip Installer\x1B[0m [\x1B[96mAppInstallerCliTest.TestZipInstaller\x1B[0m] Version 1.0.0.0
\x1B[0mThis application is licensed to you by its owner.
Microsoft is not responsible for, nor does it grant any licenses to, third-party packages.
\x1B[0mSuccessfully verified installer hash
\x1B[91mArchive scan detected malware. To override this check use --ignore-local-archive-malware-scan
at D:\a\1\s\src\AppInstallerCLITests\WorkFlow.cpp(1311)
</failure>
<failure type="FAIL_CHECK">
FAILED:
Unused override
\x1B[0mFound \x1B[96mAppInstaller Test Zip Installer\x1B[0m [\x1B[96mAppInstallerCliTest.TestZipInstaller\x1B[0m] Version 1.0.0.0
\x1B[0mThis application is licensed to you by its owner.
Microsoft is not responsible for, nor does it grant any licenses to, third-party packages.
\x1B[0mSuccessfully verified installer hash
\x1B[91mArchive scan detected malware. To override this check use --ignore-local-archive-malware-scan
at D:\a\1\s\src\AppInstallerCLITests\WorkFlow.cpp(504)
</failure>
<failure type="FAIL_CHECK">
FAILED:
Unused override
\x1B[0mFound \x1B[96mAppInstaller Test Zip Installer\x1B[0m [\x1B[96mAppInstallerCliTest.TestZipInstaller\x1B[0m] Version 1.0.0.0
\x1B[0mThis application is licensed to you by its owner.
Microsoft is not responsible for, nor does it grant any licenses to, third-party packages.
\x1B[0mSuccessfully verified installer hash
\x1B[91mArchive scan detected malware. To override this check use --ignore-local-archive-malware-scan
at D:\a\1\s\src\AppInstallerCLITests\WorkFlow.cpp(504)
</failure>
</testcase>
The parameter here needs to be updated with the new arg https://github.com/microsoft/winget-cli/blob/050056a6ceb46dcd62127da112255dceed8114f1/src/AppInstallerCLITests/WorkFlow.cpp#L1301
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
The parameter here needs to be updated with the new arg
https://github.com/microsoft/winget-cli/blob/050056a6ceb46dcd62127da112255dceed8114f1/src/AppInstallerCLITests/WorkFlow.cpp#L1301
I must be blind, though I do see you got to it before I did; Thank you